Should Privacy Guides require open-source, source-first or source-available as a criterion for all tools?

I’m not talking about security, I’m focusing on privacy here.

And no, closed-source software is unacceptable when you try to have privacy on your computer, period. Privacy and closed-source software have always been and will always be mutually exclusive.

http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/opsec/closedsource/index.html

"Hey, I just wrote this code, I compiled it, it gave me this .exe file, run it on your computer!

What? You want the source code? Hell no, just trust me bro!"

Nah man, the only way you can trust software not to spy on you is to be able to read the source code and validate that it’s not filled with telemetry/spyware, etc. And then, to make sure that you have the exact binary you’re supposed to have, you compile it yourself.

Anyway, this is the ABC of opsec. I’ll try to stay optimistic and believe that you’re acting in good faith and have just been misled, but you can’t trust this random executable, coming from this random piece of code I wrote that I refuse to show you.

3 Likes

Cool.
My focus was on privacy too, but more importantly on making a point about open source.

Tell me, what benefit does open source give to my nan who cannot and will never be able to read the source code?

Also, there have been many cases in which open-source projects were backdoored, while there have been many closed-source projects that have had a great track record for years and didn’t screw over their users.

Look, I too believe that FOSS is generally preferable to closed-source solutions, but it is not the end-all be-all.
We have readers from all walks of life with lots of different threat models, and absolutist statements don’t work for us; you have to take in a little nuance.

3 Likes

Maybe there could be something like a filter or setting for the recommendations like “Show only FOSS recommendations”?

This way all parties could be happy I guess.

1 Like

there have been many closed source projects that have had a great track record for years and didn’t screw over their users.

A good track record of what, exactly? Just because the users aren’t able to determine if the adversary (here, the ones writing the closed-source software) is spying on them and scream about it on Twitter doesn’t mean the adversary is not actually spying on them through the actual software without them being aware of it.

In any case, I’d love to see you guys actually officially suggest people use closed-source software for privacy; it’d be a pleasure to write a blog post about it from my end, and not in a good way lol

What are you guys going to recommend next? People should use Windows too?

2 Likes

We do recommend certain closed source options in certain sections, within good reason.

Again, you are free to have your own opinion about this and agree with us, we have an open community and try not to be an echo chamber, sacred cows and all that, but I must say I dislike the negative tone and would kindly ask you to tone that down a bit.

P.S. we do not recommend Windows, but we do have Windows recommendations as moving to Linux is not feasible for a lot of people. 🙂

1 Like

If you don’t mind, where do you guys recommend that closed-source software? I didn’t find it.

For example.

2 Likes

There are quite a few closed-source options that we haven’t officially recommended yet. Most of the journalists and organizations I have worked with relied on software like Tresorit, Threema, or even Apple Notes. Enterprise support is really important for these folks, especially in professional workflows.

For example, I would much rather have a journalist or activist use iOS’ recent voice memo transcription feature because of Advanced Data Protection. There aren’t a lot of good FOSS voice transcription tools that offer seamless encryption and cloud syncing. Not stating that it’s impossible to do so… but it is so much easier telling someone to enable a setting on their iPhone than to install and configure FOSS alternatives.

2 Likes

@Niek-de-Wilde

We do recommend certain closed source options in certain sections, within good reason.

From my approach, I segment it like this:
-Public use (you are under surveillance when doing something)
-Private use (you are not being watched when doing something)
-Anonymous use (your identity isn’t known when doing something)
-Sensitive use (you can deny having done something)

Just to make sure I’m not misunderstanding the recommendations here, you guys aren’t recommending closed-source software (like Safari, for example) for private use, right? I just don’t understand what Windows/macOS recommendations are doing in “privacy recommendations”, as privacy is just not possible to have on those operating systems.

@KevPham

For example, I would much rather have a journalist or activist use iOS’ recent voice memo transcription feature because of Advanced Data Protection.

Oh, so it’s OK to use closed-source software for private use if there aren’t other FOSS alternatives? Is that your point?

I disagree with the approach big time if that’s you guys’ attitude here; just because users are attached to the macOS/Windows ecosystem doesn’t mean you should spread this massive lie that they can achieve privacy with either of those, because it’s not possible due to the closed-source nature of those OSes.

Really, the first privacy tutorial I wrote is to just get rid of either of those and to install Linux instead, because otherwise privacy will never be a thing for the user on closed-source host OSes. I hope you guys are aware of that, and that you are not trying to mislead your audience (which I have all the respect in the world for) into a false sense of privacy.

1 Like

Why is privacy not possible for Windows? Especially with Pro and Enterprise versions it is possible using GPOs.

FOSS doesn’t mean it is always secure and private. It only means code can be reviewed by other people but it doesn’t guarantee a fix to a bug or security concern when found.

1 Like

May I also mention O&O ShutUp10? Mostly this is reserved for Home editions or users who somehow don’t have access to GPOs.

My emphasis was on secure use in professional workflows… not private use at home. It all really depends on your threat model. I’m not stating that closed-source tools are always better than open source or vice versa (I in fact prefer FOSS whenever possible), but that specific use case in the professional world shows an example where closed-source might be better than open source.

2 Likes

And do you think MS is above the data privacy laws? Just because you are not able to see the source code, doesn’t mean you can’t edit the settings of the OS.

Have you ever tried using group policies? Have you ever worked in an enterprise environment or done system management? Just saying Windows bad, Linux good is not helping. I can tell you about a lot of bugs and vulnerabilities with Linux too, especially SUSE and Red Hat servers, which I am working on.

If your concern is only telemetry and you don’t want to bother with group policies or registry settings or Windows settings, just use a third-party DNS like NextDNS, Control D or AdGuard to block them all.

1 Like
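The post above says Windows diagnostic data can be controlled through Group Policy or the registry. The following PowerShell script is an added example (not code from this thread or from any of the posters) that audits the registry value Group Policy writes for this setting and, only when asked, applies a chosen level. The policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection` with the `AllowTelemetry` DWORD, the `DiagTrack` service, and the rule that level 0 (Security) is only honored on Enterprise, Education and Server editions are documented Microsoft behavior, not claims from the thread; the `-Apply` and `-Level` parameters are the example's own.

```powershell
# Added example (not from the thread): audit and optionally apply the Windows
# diagnostic-data policy via the registry value that Group Policy itself writes.
# Run in an elevated PowerShell session; nothing is changed unless -Apply is given.
param(
    [switch]$Apply,
    # 0 = Security, 1 = Basic/Required, 2 = Enhanced (legacy), 3 = Full/Optional
    [ValidateSet(0, 1, 2, 3)][int]$Level = 0
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$valueName = 'AllowTelemetry'

function Get-TelemetryPolicy {
    # Return the policy value currently set, or $null when no policy exists.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-TelemetryPolicy([int]$Value) {
    # Create the policy key if Group Policy has never written it, then set the DWORD.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$edition = (Get-CimInstance Win32_OperatingSystem).Caption
$before  = Get-TelemetryPolicy
Write-Host "Edition: $edition"
Write-Host ("AllowTelemetry policy before: " + $(if ($null -eq $before) { '<not set>' } else { $before }))

# Caveat a practitioner needs: Home and Pro do not honor level 0 and silently
# fall back to level 1 (Basic/Required). Only Enterprise, Education and Server
# editions actually stop the upload at level 0.
if ($Level -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
    Write-Warning "Level 0 is not honored on '$edition'; the OS will treat it as level 1."
}

if ($Apply) {
    Set-TelemetryPolicy -Value $Level
    Write-Host "AllowTelemetry policy after: $(Get-TelemetryPolicy)"
    # DiagTrack (Connected User Experiences and Telemetry) is the service that
    # uploads diagnostic data; its state is a quick sanity check after the change.
    Get-Service -Name DiagTrack -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}
```

Run it without arguments first to see whether any policy is set at all; the warning branch is the part that matters for the "Pro and Enterprise" argument made earlier in the thread, since the same registry value has a different effect depending on the edition.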

Very simple: you can’t read the source code of your operating system, you don’t have any visibility into what it is doing. So you can’t tell if your operating system isn’t spying on what you’re doing.

Have you ever considered that Linux, BSD, etc. are not necessarily operating systems themselves but kernels? For some distros this could be the only “open part” of it. Look at RHEL (Red Hat) Linux and especially their scandal paywalling the source code. It is not a be-all and end-all for operating systems to be open source, and there are many options to limit, if not completely disable, the telemetry/data collection Microsoft does. If not with GPO, there’s also the registry that Microsoft exposes.

Well, Signal operates in the US too; makes no sense. SimpleX also operates in the UK, not the best country either, the UK, as they have both a good but also the worst privacy law in existence (at least iirc).

Privacy is possible with closed sources (yes, there is the “we can’t read code so we can’t say”), but let’s take the word of that anyhow: if, say, KDE was closed source but still allowed you to disable or customize the telemetry completely, you basically would not trust it to do that? Especially if a software or OS has been audited and that audit includes confirmation of the data collection practices, which helps even better for the closed-source software rather than taking their word for it.
And again, with Microsoft opening the registry (to everyone) and Group Policy (to Pro/Enterprise or Education or something), you have full control of the Windows operating system anyway, which can include removing any annoyances and/or privacy/telemetry/data collection on a deeper level.
Again, I also mentioned the O&O ShutUp10 tool, remember? Edit: yes, I can admit I’m wrong, this is the TPCSC channel one; the one I was talking about was:

That video doesn’t support your argument; it undermines it. Yes, Windows is privacy-invasive by default, but that video only demonstrates how we can transparently see the connections Windows makes and potentially block them at the network level if so desired (in spite of the source code being proprietary).

1 Like

We try and look at privacy as a journey where you can make gradual improvements, rather than as an all-or-nothing binary.

For example, if someone was using Gmail and Windows, and they switched their email provider to Tuta, that would still be a substantial improvement to their privacy even if they haven’t switched their operating system yet. And maybe it will inspire them to make more private choices including switching to Linux in the future.

In this vein though, we recommend a variety of tools that can be used as alternatives to common software on many platforms, including closed-source ones like Windows and macOS.

This is why we have a strong preference for open-source when possible, but we do also recommend closed-source tools when they are the most private and/or secure available option in the category.

See also: Common Misconceptions - Privacy Guides

4 Likes

Privacy is not 1 or 0, it’s a spectrum. We do not recommend Windows if one has the choice, but we CAN at least make recommendations to make it better if you need to use it.

3 Likes

Privacy actually is binary: you’re either being watched or you are not being watched.

You may be watched by 100 different adversaries right now on Windows or macOS (regardless of how you configure your Google Chrome or Safari); privacy is definitely not there for you.

If you’re being watched by one adversary, privacy is also non-existent for you. All it takes is to tolerate the presence of a single piece of closed-source software.

No, privacy is when you have 0 adversaries watching you right now. The average Joe out there may not like it, but that’s how it is, there’s no sugarcoating this: you either have a FOSS host OS or you don’t, and obviously every app you use in that OS should be FOSS too.

Just say that any closed-source software you recommend is only suitable for public use and NOT private use, if you really want to be honest with your audience; it’s not complicated.

1 Like